Press Release

Safeguard Ships DORA and NIS2 Compliance Packs for EU Software Supply Chain Regulators

Dublin, California
Safeguard Communications

DUBLIN, Calif. — March 20, 2026 — Safeguard today released DORA and NIS2 compliance packs, bringing two of the European Union's most consequential software supply chain regulations into the platform's continuous evidence pipeline. The packs ship pre-mapped control narratives, signed artifact bundles per release, and an auditor view designed to be handed directly to regulators and internal risk committees.

The Digital Operational Resilience Act (DORA) and the revised Network and Information Security Directive (NIS2) impose new, specific obligations on software produced by or for in-scope organizations in the European Union. Both frameworks require demonstrable, ongoing evidence of third-party software risk management — not point-in-time attestations. Safeguard's compliance packs target the evidence problem first: for every release, the platform emits a signed Software Bill of Materials, a VEX statement covering known-affected components, and a provenance record tying the build to the source commit and the build runner.

The packs include a control mapping layer that translates raw platform telemetry into the narrative language used by each framework. For DORA, that means ICT third-party risk articles, incident reporting timelines, and resilience testing evidence. For NIS2, that means supply chain security obligations under Article 21 and incident notification obligations under Article 23. Customers can export an auditor bundle that includes the control narrative, the underlying signed artifacts, and a vendor concentration heatmap showing where critical dependencies cluster around a small number of upstream maintainers.

"DORA and NIS2 are the first major regulations that treat the software supply chain as a continuous risk surface rather than a point-in-time assessment," said Hritik Kumar Sharma, Founder and CEO of Safeguard. "The compliance packs reflect that — they produce evidence on every release, not on every audit."

The vendor concentration view, in particular, addresses a class of risk that regulators have begun to surface explicitly: dependency graphs that look diverse at the top level but collapse to a small number of maintainers two or three transitive hops down. The Safeguard view highlights the concentration, identifies the maintainers, and links to the relevant components in the SBOM.

"Continuous evidence beats annual attestation for one reason," said the Safeguard engineering team. "The evidence is true at the moment the release ships, not at the moment the auditor asks."

DORA and NIS2 compliance packs are available to all Safeguard customers immediately. Customers operating in additional jurisdictions can layer the packs alongside existing SOC 2 and NIST control mappings.

About Safeguard

Safeguard is the software supply chain security platform that fuses 11 scanners, a security-only AI model lineup (Griffin · Eagle · Lion), and reachability-aware reasoning to find what pattern scanners miss — from CVEs to candidate zero-days — and to ship the fix with cited reasoning. The platform is built for engineering teams shipping production software and for the regulators auditing them. Learn more at https://safeguard.sh.

Media Contact

press@safeguard.sh
